Ramblings about security, rants about insecurity, occasional notes about reverse engineering, and of course, musings about malware. What more could you ask for?

Tuesday, November 29, 2016

Fractional voting - how did they get this so wrong?

As we all know, there's no shortage of hoaxes on the Internet. After writing about election hacking the other day, someone responded to me that hacking has already been demonstrated and offered this YouTube video as proof. The video was produced by Bev Harris from blackboxvoting.org.

The guy in the video, who is supposedly a computer-savvy professional, explains that the reason he's sure the GEMS election reporting software is subject to hacking is that votes can be counted in fractions. The proof? The database schema can store the vote counts as integer, single precision floating point, or double precision floating point. Sure, storing integers as floats is stupid from a space perspective, but the fact that the schema allows for it isn't malicious by itself.

Do people take this seriously? Um, unfortunately yes...

He shows in the video how he can write software to restrict voting to a particular percentage by using fractional votes. But there's a chicken and egg problem here - how do you get access to this data in the first place, and is there an audit trail? Also, sure, you can do math with floating point values given the access they demonstrate, but you could do the same with integer votes too. Further, the idea that the GEMS election tally system would allow for single and double precision floating point is a feature. Some areas of the world do Cumulative Voting, so this would be one way to store that data.

But besides common sense, how do we debunk something like this? Well, examine the video at around 10:10. The supposed computer expert explains single and double. He explains that a double can use between one and two decimal places and a single can use between zero and one (or something to that effect). He has no idea what these terms mean. Wikipedia has a better idea of what a double precision floating point number is. But that's the problem. Many will see this video and the supposed demonstration and be fooled because they have no idea what this "savant" is doing.
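For readers who want to check the "decimal places" claim themselves, here is an added example (my own code, not from the video or from GEMS) that unpacks the IEEE 754 bit layout of single (32-bit) and double (64-bit) precision floats. It shows that "precision" is the width of the binary significand, not a count of decimal places: 0.5 is stored exactly in both formats, 0.1 is exact in neither, and whole-number vote counts stay exact up to 2**24 in a single and 2**53 in a double.

```python
import struct
from decimal import Decimal

# IEEE 754 layouts as (struct format, exponent bits, fraction bits).
# Single precision is 32 bits wide, double precision is 64 bits wide.
SINGLE = (">f", 8, 23)
DOUBLE = (">d", 11, 52)


def fields(value, layout):
    """Return the (sign, biased exponent, fraction) bit fields that the
    given layout stores for value."""
    fmt, exp_bits, frac_bits = layout
    bits = int.from_bytes(struct.pack(fmt, value), "big")
    sign = bits >> (exp_bits + frac_bits)
    exponent = (bits >> frac_bits) & ((1 << exp_bits) - 1)
    fraction = bits & ((1 << frac_bits) - 1)
    return sign, exponent, fraction


def stored_value(value, layout):
    """The number actually held after storing value in the layout."""
    fmt = layout[0]
    return struct.unpack(fmt, struct.pack(fmt, value))[0]


def is_exact(value, layout):
    """True when value survives storage unchanged. Python compares int and
    float exactly, so integer vote counts can be passed in directly."""
    return stored_value(value, layout) == value


def exact_decimal(value, layout):
    """Exact decimal expansion of what the layout stores for value."""
    return str(Decimal(stored_value(value, layout)))


def max_exact_integer(layout):
    """Every integer from 0 up to 2**p is stored exactly, where p is the
    fraction width plus the implicit leading 1 bit."""
    return 1 << (layout[2] + 1)


if __name__ == "__main__":
    # Constructed sample values: a power of two, a tenth, and 2**24 + 1.
    for v in (0.5, 0.1, 16777217):
        for name, layout in (("single", SINGLE), ("double", DOUBLE)):
            print(name, v, fields(v, layout), is_exact(v, layout),
                  exact_decimal(v, layout))
```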